In existing systems, logical access to remote information systems is often dependent upon proof of possession of the private key of an asymmetric key pair certified by a trusted third party, known as a certificate authority, within a Public Key Infrastructure (PKI). Distribution of these certified key pairs, or PKI credentials, for user authentication is traditionally performed on hardware tokens such as smart cards or key fobs, but the credentials can also be installed locally in the client device used to access the remote information system in order to improve the user experience. Certifying keys on the hardware token or client device for this purpose necessitates identity vetting by a registration authority to ensure that the possessor of the private key is the individual identified in the PKI credential's X.509 certificate. Some organizations use a derived credential issuance model to issue PKI credentials, wherein proof of possession of a previously issued hardware token, through electronic authentication, can be used in place of in-person identity vetting to authorize the enrollment of a new PKI credential installed locally on the client device. These derived credential issuance models necessitate the deployment of hardware tokens prior to the issuance of derived credentials. Once in-person identity vetting has been performed for the issuance of the hardware token, further identity vetting is not required for subsequent credentials. Also, in existing systems that use biometric sampling to authorize access to keys stored locally on a client device, the biometric samples are used only to unlock access to resources stored locally on the device, and the client device must already be in possession of certified keys in order to authenticate to remote systems.
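As an added illustration of the derived credential issuance model described above (example code written for this page, not code from the original document or from any of the cited specifications), the Go program below builds a toy certificate authority, issues a certificate to a simulated hardware token (standing in for the in-person vetting step), and then has the registration authority accept a derived credential for a new client-device key only after the token proves possession of its private key by signing a fresh challenge. The derived certificate carries the identity already bound to the token, so no further vetting happens; a request signed by any other key is refused. The CA name, the subject `alice@example.test`, the one-day validity window and the ECDSA P-256 key choice are assumptions constructed for the example; everything else is the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demo on infrastructure errors (key generation, DER encoding) to keep it short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func genKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour) // constructed one-day validity

// sign creates a certificate for pub from tmpl, signed by parent with priv.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

type CA struct{ key *ecdsa.PrivateKey; cert *x509.Certificate } // toy CA: signing key and self-signed cert

func newCA() *CA {
	key := must(genKey())
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Derived-Credential CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return &CA{key: key, cert: must(sign(tmpl, tmpl, &key.PublicKey, key))}
}

// issue certifies pub under subject: after in-person vetting for the hardware
// token, or after electronic proof of possession for a derived credential.
func (ca *CA) issue(subject string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))), // random serial
		Subject:      pkix.Name{CommonName: subject}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, ca.cert, pub, ca.key)
}

// signChallenge is the token's half of electronic authentication: it signs a
// fresh challenge with the private key certified on the token.
func signChallenge(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// enrollDerived is the registration authority's check: the token certificate must
// chain to the CA and the challenge signature must verify under it. Only then is the
// device key certified, under the identity already bound to the token, with no new vetting.
func (ca *CA) enrollDerived(tokenCert *x509.Certificate, challenge, sig []byte, devicePub *ecdsa.PublicKey) (*x509.Certificate, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := tokenCert.Verify(opts); err != nil {
		return nil, fmt.Errorf("token certificate not trusted: %w", err)
	}
	if err := tokenCert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return ca.issue(tokenCert.Subject.CommonName, devicePub)
}

// demo runs the flow end to end, then repeats the request with a signature from a key
// that is not the token's, which the RA must refuse. Returns the derived cert and that outcome.
func demo() (*x509.Certificate, bool) {
	ca := newCA()
	tokenKey, deviceKey, strangerKey := must(genKey()), must(genKey()), must(genKey())
	tokenCert := must(ca.issue("alice@example.test", &tokenKey.PublicKey)) // constructed identity
	challenge := make([]byte, 32) // RA nonce, fresh per attempt, so a captured signature is useless later
	must(rand.Read(challenge))
	derived := must(ca.enrollDerived(tokenCert, challenge, must(signChallenge(tokenKey, challenge)), &deviceKey.PublicKey))
	badSig := must(signChallenge(strangerKey, challenge))
	_, err := ca.enrollDerived(tokenCert, challenge, badSig, &deviceKey.PublicKey)
	return derived, err != nil
}

func main() {
	derived, refused := demo()
	fmt.Printf("derived credential for %q issued by %q; attempt without the token key refused: %v\n", derived.Subject.CommonName, derived.Issuer.CommonName, refused)
}
```

The two checks in `enrollDerived` are the whole point of the model: chain validation ties the presented certificate back to the vetting the CA already performed, and the challenge signature ties the requester to that certificate's private key. A production RA would additionally consult revocation status for the token certificate and bind the challenge to the new device's public key (as CMC and EST proof-of-possession structures do), which this toy omits.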
A paper entitled “Guidelines for Derived Personal Identity Verification (PIV) Credentials” by the National Institute of Standards and Technology, NIST Special Publication 800-157, December 2014, by Hildegard Ferraiolo et al. describes technical guidelines for the implementation of standards-based, secure, reliable, interoperable public key infrastructure (PKI)-based identity credentials that are issued by federal departments and agencies to individuals who possess and prove control over a valid PIV card.
A paper entitled “Biometric Specifications for Personal Identity Verification” by the National Institute of Standards and Technology, NIST Special Publication 800-76-2, July 2013, by Patrick Grother et al. describes the Personal Identity Verification (PIV) standard for federal employees and contractors. This paper also describes technical acquisition and formatting specifications for a PIV system, including a PIV card.
A paper entitled “Cryptographic Message Syntax (CMS)” by R. Housley, Network Working Group, September 2009, describes the Cryptographic Message Syntax (CMS) which is used to digitally sign, digest, authenticate, or encrypt arbitrary message content.
A paper entitled “A Software Consulting Service for Network Users” by Alexander McKenzie, Network Working Group, Nov. 27, 1972, describes a software consulting service for network users.
A paper entitled “Enrollment over Secure Transport” by M. Pritikin et al., Internet Engineering Task Force, October 2013, describes certificate enrollment for clients using Certificate Management over CMS (CMC) messages over a secure transport.
A paper entitled “Simple Certificate Enrollment Protocol” by M. Pritikin et al., Internet Engineering Task Force, Sep. 7, 2011, describes the Simple Certificate Enrollment Protocol (SCEP), a Public Key Infrastructure (PKI) communication protocol which leverages existing technology by using PKCS #7 and PKCS #10 over HTTP.
A paper entitled “Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)” by C. Adams et al., Network Working Group, September 2005, describes the Certificate Management Protocol (CMP), an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements.
A paper entitled “Certificate Management over CMS (CMC)” by J. Schaad et al., Network Working Group, June 2008, defines the base syntax for CMC, a Certificate Management protocol using the Cryptographic Message Syntax (CMS).